You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -14,6 +14,7 @@ It can be used mainly for persistence, lateral movement or code/command executio
* Application whitelisting bypasses, changing the PE file hash (msbuild.exe for ex) without breaking the signature.
* Bypassing EDRs relying on specific LOLBINs' hashes for malicious code/command execution detection.
* Load signed drivers using a different hash, might help circumvent any EDRs watching for common vulnerable signed drivers using a pre-defined list of hashes.
* Embed encrypted shellcode in a signed PE file and use a stager (sigloader) of your preference to parse, decrypt, load and execute it.
* Endpoint security vendors tend to classify signed PE files as benign most of the time, embedding your unsigned code (shellcode ..etc.) in a signed PE file makes it a little bit hard to detect/flag.
* Bypassing endpoint security vendors relying mainly on the default WinVerifyTrust for signature validation.
